Links

Friday, May 11, 2012

From LOW to PWNED [7] HTTP PUT/WebDAV/SEARCH

Man I love mis-configured WebDAV, I have put a foot in many a network's ass with a writable WebDAV server. Like the browsable directories thing, its *usually* not writable, but it occurs often enough that you really have to make sure you check it each time you see it.

LOW?

IIS5 is awesome (not) because WebDAV is enabled by default but web root is not writable. Wait who still runs Windows 2000?! i know i know app cant be rewritten...accepted risk...blah blah...no one will ever use this to pwn my network...its ok if that DA admin script logs into it daily....

The "game" is finding the writable directory (if one exists) on the WebDAV enabled server.
*Dirbusting and ruby FTW*

I find that its usually NOT the web root, so honestly it can be a challenge to find the writable directory. VA scanners can help, Nessus will actually tell you methods allowed per directory...still a challenge though.